diff --git a/Cargo.lock b/Cargo.lock
index badd78b..ed06d7e 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -652,6 +652,15 @@ version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "77af24da69f9d9341038eba93a073b1fdaaa1b788221b00a69bce9e762cb32de"
 
+[[package]]
+name = "openssl-src"
+version = "111.9.0+1.1.1g"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a2dbe10ddd1eb335aba3780eb2eaa13e1b7b441d2562fd962398740927f39ec4"
+dependencies = [
+ "cc",
+]
+
 [[package]]
 name = "openssl-sys"
 version = "0.9.56"
@@ -661,6 +670,7 @@ dependencies = [
  "autocfg",
  "cc",
  "libc",
+ "openssl-src",
  "pkg-config",
  "vcpkg",
 ]
@@ -1046,6 +1056,7 @@ version = "0.1.0"
 dependencies = [
  "bytes",
  "futures",
+ "openssl",
  "preserves",
  "serde",
  "serde_bytes",
diff --git a/Cargo.toml b/Cargo.toml
index 0e19f96..350dddb 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -4,6 +4,9 @@ version = "0.1.0"
 authors = ["Tony Garnock-Jones <tonyg@leastfixedpoint.com>"]
 edition = "2018"
 
+[features]
+vendored-openssl = ["openssl/vendored"]
+
 [profile.release]
 debug = true
 
@@ -30,3 +33,6 @@ tokio-tungstenite = "0.10.1"
 tracing = "0.1.14"
 tracing-subscriber = "0.2.5"
 tracing-futures = "0.2.4"
+
+# Only used for vendored-openssl, which in turn is being used for cross-builds
+openssl = { version = "0.10", optional = true }
diff --git a/Makefile b/Makefile
index 5ad7525..ac646e8 100644
--- a/Makefile
+++ b/Makefile
@@ -19,13 +19,25 @@ binary-release:
 binary-debug:
 	cargo build --all-targets
 
+# OK, rather than doing it myself (per
+# https://eighty-twenty.org/2019/10/15/cross-compiling-rust), it turns
+# out past a certain level of complexity we need more than just a
+# linker but also a C compiler, compatible headers, and so forth. This
+# proved nontrivial. The Rust team maintains a docker-based
+# cross-compilation environment that's very easy to use, so instead,
+# I'll just use that!
+#
+# cargo install cross
+#
+# The `vendored-openssl` thing is necessary because otherwise I'd have
+# to mess about with getting a musl build of openssl, plus its headers
+# etc, ready on my system despite being otherwise able to rely on
+# cross. I think. It's a bit confusing.
+
 arm-binary: arm-binary-release
 
-arm-binary-setup:
-	rustup target add armv7-unknown-linux-musleabihf
+arm-binary-release:
+	cross build --target=armv7-unknown-linux-musleabihf --release --all-targets --features vendored-openssl
 
-# sudo apt install binutils-arm-linux-gnueabihf
-arm-binary-release: arm-binary-setup
-	CARGO_TARGET_ARMV7_UNKNOWN_LINUX_MUSLEABIHF_LINKER=arm-linux-gnueabihf-ld cargo build --target=armv7-unknown-linux-musleabihf --release --all-targets
-arm-binary-debug: arm-binary-setup
-	CARGO_TARGET_ARMV7_UNKNOWN_LINUX_MUSLEABIHF_LINKER=arm-linux-gnueabihf-ld cargo build --target=armv7-unknown-linux-musleabihf --all-targets
+arm-binary-debug:
+	cross build --target=armv7-unknown-linux-musleabihf --all-targets --features vendored-openssl